From 156181518d829f9554733e24b64e4359d27f65ab Mon Sep 17 00:00:00 2001 From: Gabriel Ebner Date: Sun, 25 Aug 2019 18:04:33 +0200 Subject: [PATCH] mastus: use nginx module --- mastus/gogs.nix | 64 +++++++++------------------------------ mastus/radicale.nix | 63 ++++++-------------------------------- mastus/ttrss.nix | 63 +++++++++----------------------------- mastus/vmtest.nix | 2 +- mastus/website.nix | 74 ++++++++++++--------------------------------- mastus/www.nix | 27 ++++++----------- 6 files changed, 68 insertions(+), 225 deletions(-) diff --git a/mastus/gogs.nix b/mastus/gogs.nix index 67a59bc..5e6f7ed 100644 --- a/mastus/gogs.nix +++ b/mastus/gogs.nix @@ -28,54 +28,18 @@ ''; }; - services.nginx.httpConfig = '' - server { - listen [::]:80; - listen 80; - server_name git.gebner.org; - - location /.well-known/acme-challenge { - default_type text/plain; - alias /var/lib/acme/www/.well-known/acme-challenge; - } - - location / { - rewrite ^(.*) https://$host$1 permanent; - } - } - - server { - listen [::]:443; - listen 443; - server_name git.gebner.org; - - ssl on; - ssl_certificate_key /var/lib/acme/gebner.org/key.pem; - ssl_certificate /var/lib/acme/gebner.org/fullchain.pem; - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; - ssl_prefer_server_ciphers on; - add_header Strict-Transport-Security max-age=15768000; - ssl_stapling on; - ssl_stapling_verify on; - - location / { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_redirect off; - proxy_buffering off; - proxy_pass http://gogs; - client_max_body_size 30M; - break; - } - } - - upstream gogs { - server 127.0.0.1:${toString config.services.gogs.httpPort}; - } - ''; + services.nginx = { + recommendedProxySettings = true; + virtualHosts."git.gebner.org" = { + forceSSL = true; + useACMEHost = "gebner.org"; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.gogs.httpPort}"; + extraConfig = '' + proxy_buffering off; + client_max_body_size 30M; + ''; + }; + }; + }; } diff --git a/mastus/radicale.nix b/mastus/radicale.nix index 14c9774..c6d8761 100644 --- a/mastus/radicale.nix +++ b/mastus/radicale.nix @@ -24,58 +24,15 @@ in security.acme.certs."gebner.org".extraDomains."radicale.gebner.org" = null; - services.nginx.httpConfig = '' - server { - listen [::]:80; - listen 80; - server_name radicale.gebner.org; + services.nginx = { + recommendedProxySettings = true; + virtualHosts."radicale.gebner.org" = { + forceSSL = true; + useACMEHost = "gebner.org"; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString radicalePort}"; + }; + }; + }; - location /.well-known/acme-challenge { - default_type text/plain; - alias /var/lib/acme/www/.well-known/acme-challenge; - } - - location / { - rewrite ^(.*) https://$host$1 permanent; - } - } - - server { - listen [::]:443; - listen 443; - server_name radicale.gebner.org; - - ssl on; - ssl_certificate_key /var/lib/acme/gebner.org/key.pem; - ssl_certificate /var/lib/acme/gebner.org/fullchain.pem; - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; - ssl_prefer_server_ciphers on; - add_header Strict-Transport-Security max-age=15768000; - ssl_stapling on; - ssl_stapling_verify on; - - location / { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_redirect off; - proxy_buffering off; - proxy_connect_timeout 900; - proxy_send_timeout 900; - proxy_read_timeout 900; - send_timeout 900; - proxy_pass http://radicale; - client_max_body_size 30M; - break; - } - } - - upstream radicale { - server 127.0.0.1:${toString radicalePort}; - } - ''; } diff --git a/mastus/ttrss.nix b/mastus/ttrss.nix index ab98d69..68dfd80 100644 --- a/mastus/ttrss.nix +++ b/mastus/ttrss.nix @@ -68,57 +68,24 @@ security.acme.certs."gebner.org".extraDomains."reader.gebner.org" = null; - services.nginx.httpConfig = '' - server { - listen [::]:80; - listen 80; - server_name reader.gebner.org; - - location /.well-known/acme-challenge { - default_type text/plain; - alias /var/lib/acme/www/.well-known/acme-challenge; - } - - location / { - rewrite ^(.*) https://$host$1 permanent; - } - } - - server { - listen [::]:443; - listen 443; - server_name reader.gebner.org; - - ssl on; - ssl_certificate_key /var/lib/acme/gebner.org/key.pem; - ssl_certificate /var/lib/acme/gebner.org/fullchain.pem; - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; - ssl_prefer_server_ciphers on; - add_header Strict-Transport-Security max-age=15768000; - ssl_stapling on; - ssl_stapling_verify on; - - location / { - root /var/lib/containers/ttrss/var/lib/tt-rss; - index index.php; - } - - location /cache { - deny all; - } - location = /config.php { - deny all; - } - - location ~ \.php$ { + services.nginx = { + virtualHosts."reader.gebner.org" = { + forceSSL = true; + useACMEHost = "gebner.org"; + locations."/" = { + root = "/var/lib/containers/ttrss/var/lib/tt-rss"; + index = "index.php"; + }; + locations."/cache".extraConfig = "deny all;"; + locations."= /config.php".extraConfig = "deny all;"; + locations."~ \\.php$".extraConfig = '' fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass 192.168.100.11:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /var/lib/tt-rss/$fastcgi_script_name; include ${pkgs.nginx}/conf/fastcgi_params; - } - } - ''; + ''; + }; + }; + } diff --git a/mastus/vmtest.nix b/mastus/vmtest.nix index dc4f6f3..d2157e9 100644 --- a/mastus/vmtest.nix +++ b/mastus/vmtest.nix @@ -24,7 +24,7 @@ let environment.systemPackages = with pkgs; [ elinks carddav-util fcgi ]; networking.extraHosts = '' - 127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org + 127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org gabrielebner.at # disable letsencrypt 127.0.0.111 acme-v01.api.letsencrypt.org diff --git a/mastus/website.nix b/mastus/website.nix index f840609..bd358fb 100644 --- a/mastus/website.nix +++ b/mastus/website.nix @@ -1,65 +1,29 @@ { config, pkgs, ... }: { - services.nginx.httpConfig = '' - server { - listen [::]:443; - listen 443; - server_name gabrielebner.at www.gabrielebner.at 2b7e.org www.2b7e.org www.gebner.org; - ssl on; - ssl_certificate_key /var/lib/acme/gebner.org/key.pem; - ssl_certificate /var/lib/acme/gebner.org/fullchain.pem; - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; - ssl_prefer_server_ciphers on; - add_header Strict-Transport-Security max-age=15768000; - ssl_stapling on; - ssl_stapling_verify on; + services.nginx = { + virtualHosts."gebner.org" = { + useACMEHost = "gebner.org"; + forceSSL = true; + root = "/srv/www.gebner.org"; + extraConfig = '' + access_log logs/website_access.log; - location / { - rewrite ^(.*) https://gebner.org$1 permanent; - } - } + error_page 404 403 /404.html; - server { - listen [::]:443; - listen 443; - server_name gebner.org; + location / { + try_files $uri $uri/ @not_found; + } - ssl on; - ssl_certificate_key /var/lib/acme/gebner.org/key.pem; - ssl_certificate /var/lib/acme/gebner.org/fullchain.pem; - ssl_dhparam /etc/nginx/dhparam.pem; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; - ssl_prefer_server_ciphers on; - add_header Strict-Transport-Security max-age=15768000; - ssl_stapling on; - ssl_stapling_verify on; - - root /srv/www.gebner.org; - error_page 404 403 /404.html; - - gzip on; - gzip_types image/x-icon image/svg+xml text/css; - brotli on; - brotli_types image/x-icon image/svg+xml text/css; - - access_log logs/website_access.log; - - location / { - try_files $uri $uri/ @not_found; - } - - location @not_found { - try_files /404.cgi =404; - fastcgi_intercept_errors on; - fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; - } - } - ''; + location @not_found { + try_files /404.cgi =404; + fastcgi_intercept_errors on; + fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + } + ''; + }; + }; services.fcgiwrap = { enable = true; diff --git a/mastus/www.nix b/mastus/www.nix index 616c2f2..bb03b21 100644 --- a/mastus/www.nix +++ b/mastus/www.nix @@ -16,26 +16,17 @@ services.nginx = { enable = true; - httpConfig = '' - server { - listen [::]:80; - listen 80; - server_name _; - location /.well-known/acme-challenge { - default_type text/plain; - alias /var/lib/acme/www/.well-known/acme-challenge; - } + recommendedTlsSettings = true; + recommendedOptimisation = true; - location / { - rewrite ^(.*) https://gebner.org$1 permanent; - } - } - ''; - package = with pkgs; nginxMainline.override { - modules = [ - nginxModules.brotli - ]; + sslDhparam = "/etc/nginx/dhparam.pem"; + + virtualHosts."_" = { + default = true; + addSSL = true; + useACMEHost = "gebner.org"; + globalRedirect = "gebner.org"; }; }; }